US20090276826A1 - Image forming apparatus, method, and computer-readable recording medium for access control - Google Patents
Image forming apparatus, method, and computer-readable recording medium for access control Download PDFInfo
- Publication number
- US20090276826A1 US20090276826A1 US12/423,884 US42388409A US2009276826A1 US 20090276826 A1 US20090276826 A1 US 20090276826A1 US 42388409 A US42388409 A US 42388409A US 2009276826 A1 US2009276826 A1 US 2009276826A1
- Authority
- US
- United States
- Prior art keywords
- access authorization
- programs
- application
- access
- change information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/629—Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/608—Secure printing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/84—Protecting input, output or interconnection devices output devices, e.g. displays or monitors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present invention relates to an image forming apparatus, an access controlling method, and a computer-readable recording medium for access control.
- image forming apparatuses that allow new applications to be developed and installed therein after the image forming apparatuses have been shipped (see, for example, Japanese Laid-Open Patent Publication No. 2005-269619). That is, new applications using a publicly available API (Application Program Interface) written in general programming languages such as C language or Java (Registered Trademark) are developed and installed in image forming apparatuses after the image forming apparatuses have been shipped.
- API Application Program Interface
- C language or Java Registered Trademark
- code-based access control can be performed with a security mechanism being provided as standard equipment to an execution environment of Java (Registered Trademark).
- access authorization can be set in correspondence with the location of a program or a person of a signature of program inside data referred to as “policy”.
- policy can be set in correspondence with the location of a program or a person of a signature of program inside data referred to as “policy”.
- defining the policies for each application is burdensome for an administrator and increases the data amount (information amount) of the policies. This may result in degrading of performance.
- applications are, for example, classified into different groups (or divided into different levels) according to the credibility of each application and access authorizations are set in units of each group (or level) inside the policy.
- the process of classifying the applications would be meaningless if the grading of the groups (grades of the levels) become too minute.
- the classifying is effective where the applications are classified into substantially large groups (reducing the number of grades of the levels).
- the present invention may provide an image forming apparatus, an access controlling method, and a computer-readable recording medium that substantially eliminate one or more of the problems caused by the limitations and disadvantages of the related art.
- an embodiment of the present invention provides an image forming apparatus to which one or more programs can be added, the image forming apparatus including: a managing part configured to manage access authorization information set for each of groups into which the programs are categorized; a displaying part configured to display a setting screen in which access authorization setting information is set in correspondence with each of the programs; a changing part configured to change a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and a determining part configured to determine whether the access authorization can be granted to the programs.
- another embodiment of the present invention provides an access controlling method executed by an image forming apparatus to which one or more programs can be added, the method including the steps of: managing access authorization information set for each of groups into which the programs are categorized; displaying a setting screen in which access authorization setting information is set in correspondence with each of the programs; changing a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and determining whether the access authorization can be granted to the programs.
- yet another embodiment of the present invention provides a computer-readable recording medium on which a program for causing an image forming apparatus to execute an access controlling method is recorded, the image forming apparatus being able to have one or more programs added, the access controlling method including the steps of: managing access authorization information set for each of groups into which the programs are categorized; displaying a setting screen in which access authorization setting information is set in correspondence with each of the programs; changing a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and determining whether the access authorization can be granted to the programs.
- FIG. 1 is a schematic diagram illustrating a hardware configuration of a multifunction machine (image forming apparatus) according to an embodiment of the present invention
- FIG. 2 is a schematic diagram illustrating a software configuration of a multifunction machine according to an embodiment of the present invention
- FIG. 3 is a schematic diagram illustrating a configuration of a Java Servlet Development Kit (JSDK) application according to an embodiment of the present invention
- FIG. 4 is a schematic diagram illustrating an example of a definition of a policy configuration file according to an embodiment of the present invention
- FIG. 5 is a schematic diagram for describing a Protection Domain
- FIG. 6 is a schematic diagram illustrating an example of a format of the security patch
- FIG. 7 is a schematic diagram illustrating written examples of the CalledBy field
- FIG. 8 is a schematic diagram illustrating a first written example of a State field
- FIG. 9 is a schematic diagram illustrating a second written example of a State field
- FIG. 10 is a schematic diagram illustrating processes executed by a JSDK application
- FIG. 11 illustrates examples of definitions of a application management file
- FIG. 12 is a schematic diagram illustrating an example of an application setting screen
- FIG. 13 is a flowchart for describing an activation process of a JSDK application according to an embodiment of the present invention.
- FIG. 14 is a schematic diagram illustrating an example of a policy loaded as an object
- FIG. 15 is a schematic diagram illustrating dynamic changing of policy expressed in the form of state transition of a ProtectionDomain
- FIG. 16 is a sequence diagram for describing processes performed when dynamically changing policy
- FIG. 17 is a schematic diagram for describing an example of procedures starting from development to operation of a JSDK application.
- FIG. 18 is a schematic diagram illustrating an example of an application development request form.
- FIG. 1 is a schematic diagram illustrating a hardware configuration of a multifunction machine (image forming apparatus) 10 according to an embodiment of the present invention.
- the multifunction machine 10 illustrated in FIG. 1 includes, for example, a controller 201 , an operations panel 202 , a facsimile control unit (FCU) 203 , and an imaging part 204 , and a printing part 205 .
- FCU facsimile control unit
- the controller 201 includes a CPU (Central Processing Unit) 211 , an ASIC (Application Specific Integrated Circuit) 212 , a NB (North Bridge) 221 , a SB (South Bridge) 222 , a MEM-P (Memory-P) 231 , a MEM-C (Memory-C) 232 , a HDD (Hard Disk Drive) 233 , a memory card slot 234 , a NIC (Network Interface Controller) 241 , a USB device 242 , a IEEE 1394 device 243 , and a Centronics device 244 .
- the below-described embodiment of a process (function) of controlling access may be executed with a program recorded on a computer-readable recording medium 100 that is loaded to the image forming apparatus 10 .
- the CPU 211 is an IC (Integrated Circuit) for performing various data processes.
- the ASIC 212 is an IC for performing various image processes.
- the NB 221 is a north bridge of the controller 201 .
- the SP 222 is a south bridge of the controller 201 .
- the MEN-P 231 is a system memory of the multifunction machine 10 .
- the MEM-C 232 is a local memory of the multifunction machine 10 .
- the HDD 233 is a storage device of the multifunction machine 10 .
- the memory card slot 234 is a slot for inserting a memory card 235 into.
- the NIC 241 is a controller for network communications according to MAC addresses.
- the USB device 242 is a device for providing connections with USB standard terminals.
- the IEEE 1394 device 243 is a device for providing connections with IEEE 1394 standard terminals.
- the Centronics device 244 is a device for providing connections with Centronics specification terminals.
- the operations panel 202 is an operating part for enabling an operator (user) to input data into the multifunction machine 10 .
- the operations panel 202 is also a display part for enabling the operator to obtain output from the multifunction machine 10 .
- FIG. 2 is a schematic diagram illustrating a software configuration of the multifunction machine 10 according to an embodiment of the present invention.
- the software of the multifunction machine 10 includes, for example, a JSDK (Java Servlet Development Kit) application 30 , a JSDK platform 40 , and a native service layer 50 .
- the processes (functions) included in the software are executed by the CPU 211 .
- the native service layer 50 provides interfaces that enable upper layer modules to use functions provided by the hardware and the software of the multifunction machine 10 and performs controls to realize the functions in response to calls requesting the interfaces (requests to use the functions).
- the native service layer 50 includes a module for providing an interface related to controlling network communications, a module for providing an interface related to controlling a facsimile, a module for providing an interface related to controlling delivery of stored documents (document (image) data stored in the HDD 233 ), a module for providing an interface related to controlling the imaging part 204 or the printing part 205 , a module for providing an interface related to controlling the memory 231 , 232 or the HDD 233 , a module for providing an interface related to controlling the operations panel 202 , a module for providing an interface related to controlling an authorizing process or a billing process, and a module for providing an interface related to managing user data.
- the JSDK platform 40 is a software platform for providing an execution environment of the JSDK application 30 .
- the JSDK platform 40 provides Java (Registered Trademark) interfaces associated with the native service layer 50 with respect to upper layer modules.
- the JSDK platform 40 includes, for example, classes of Java (Registered Trademark) standard, a class library related to classes expanded for the multifunction machine 10 , and a Java (Registered Trademark) virtual machine (VM) 41 .
- the VM 41 controls execution of the JSDK application 30 while sequentially interpreting Java (Registered Trademark) byte codes.
- the VM 41 controls access of the JSDK application 30 with respect to resources such as files, network sockets, and printers according to a policy defined beforehand by the policy configuration file 70 .
- the VM 41 is configured to report (call) to an instance (Security Manager object) of a Security Manager class when access is made to a resource.
- the Security Manager object determines whether access to the resource is permissible according to the policy configuration file 70 .
- the JSDK platform 40 is loaded as an OSGI (Open Service Gateway initiative) platform.
- the OSGi platform which is standard technology by the OSGi alliance, is a software platform for providing an execution environment of software components fabricated according to open software modularization technology based on Java (Registered Trademark) language.
- the Java (Registered Trademark) language software is loaded in a form of a software component referred to as a “bundle”.
- a single bundle is composed of a single JAR (Java ARchive). Each bundle can be dynamically installed without requiring rebooting of the multifunction machine 10 .
- the JSDK application 30 is an application fabricated by a dedicated SDK (Software Development Kit) disclosed in the JSDK platform 40 (hereinafter referred to as “SDK application”).
- SDK application Software Development Kit
- Java Java
- the JSDK application 30 includes, for example, a SAS (SDK Application Service) manager 31 , an application bundle 320 , and a service bundle 330 .
- the SAS manager is for controlling, for example, installing (addition), uninstalling (deletion), booting, and cancelling booting of other JSDK applications 30 (e.g., application bundle 320 , service bundle 330 ).
- the application bundle 320 serves as a bundle of the JSDK application 30 for displaying a control screen in the operations panel 202 and allowing an end user to directly operate on (use) the control screen.
- a scanning application 321 is illustrated as an example of the application bundle 320 .
- the scanning application 321 is an application for enabling an image to be read from a document by the imaging part 204 .
- the service bundle 330 serves as a bundle of the JSDK application 30 for providing services to, for example, the application bundle 320 . That is, each service of the service bundle 330 executes a process corresponding to the service bundle 330 in response to a call (request) from, for example, the application bundle 320 and returns a result of the process (process result) to the application bundle 320 .
- a scanning service 331 and a panel service 332 are illustrated as examples of the service bundle 330 .
- the scanning service 331 provides a service related to a function of reading images.
- the panel service 332 provides a service related to controlling the displaying of the operations panel 202 .
- the JSDK application 30 is a Java (Registered Trademark) application developed using a SDK disclosed in the JSDK platform 40 . Therefore, an application developed by a third-party vendor or the like after shipment of the multifunction machine 10 may be installed in the multifunction machine 10 as the JSDK application 30 .
- the multifunction machine 10 conducts code-based access control by dividing the range of access authorization for resources of the multifunction machine 10 into levels (hereinafter referred to as “security levels”) (categorized into groups) and assigning a security level to each JSDK application 30 in correspondence with the credibility of each JSDK application 30 .
- the security level can be identified (distinguished) according to a signature (electronic signature) attached to each JSDK application 30 .
- FIG. 3 is a schematic diagram illustrating a configuration of the JSOK application 30 according to an embodiment of the present invention.
- each JSDK application 30 includes files such as a JAR file 31 and an application management file 51 .
- a signature 33 attached (associated) to the JAR file 31 corresponds to a signature for identifying the security level.
- the signature 33 is, for example, encrypted with a hash value of the JAR file 31 .
- the security level is identified with an encryption key used for encrypting the signature 33 . Besides being used for identifying the security level, the signature 33 is also used for determining whether the JSDK application 30 has been tampered with.
- the security level is divided into three stages of different value. The values of the three stages are level 1 (Lv 1 ), level 2 (Lv 2 ), and level 3 (Lv 3 ). Level 1 (Lv 1 ) has the highest access authorization. Level 3 has the lowest access authorization.
- the access authorization of each security level is defined in the policy configuration file 70 according to specifications of the Java (Registered Trademark) standard.
- FIG. 4 is a schematic diagram illustrating an example of a definition of the policy configuration file 70 according to an embodiment of the present invention.
- the format of the policy configuration file 70 complies with the specifications of the Java (Registered Trademark) standard, details of the format of the policy configuration file 70 are omitted.
- FIG. 4 three grant entries 71 - 73 are illustrated.
- the Lv 1 is designated in the field “Signed By” of the grant entry 71 . Therefore, the definition of the grant entry 71 is applied to the JSDK application 30 having attached the signature 33 with a security level value of Lv 1 .
- the definition of the grant entry 72 is applied to the JSDK application 30 having attached the signature 33 with a security level value of Lv 2
- the definition of the grant entry 73 is applied to the JSDK application 30 having attached the signature 33 with a security level value of Lv 3 .
- the grant entry 71 is set so that all of the packages (“accessClassInPackage.*”) can be accessed during operation (i.e. when the JSDK application 30 of Lv 1 is being executed) (“RuntimePermission”). Further, as illustrated in (b) of the grant entry 71 of FIG. 4 , the grant entry 71 is set so that dynamic link to all of the libraries can be performed. Further, as illustrated in (c) of the grant entry 71 of FIG. 4 , the grant entry 71 is set so that reading (“read”) and writing (“write”) can be performed on all files in the file system.
- access authorization is defined in correspondence with the security level. Therefore, with the multifunction machine 10 , the access authorization of the JSDK application 30 is determined according to the security level corresponding to the signature 33 attached to each JSDK application 30 .
- FIG. 5 is a schematic diagram for describing a Protection Domain.
- the Protection Domain is a set of objects that can be currently directly accessed by the JSDK application 30 or instances of classes included in the JSDK application 30 (i.e. a set of permissions).
- Protection Domain X is applied to a.class and b.class
- Protection Domain Y is applied to c.class and d.class.
- permissions belonging to the Protection Domain X are granted to the a.class and the b.class.
- a single “Permission” is assumed as a single permission in the policy configuration file 70 .
- a single Protection Domain is assumed to correspond to a single grant entry.
- the application management file 51 is a file to which various data are defined. For example, data regarding elements of the JSDK application 30 , data for installing and booting the JSDK application 30 , and other data for management are defined in the application management file 51 .
- the application management file 51 may be associated with the JAR file 31 according to file name.
- the application management file 51 includes a security patch 523 .
- the security patch 523 is a patch (change information or difference information) with respect to definitions of the policies that are statically set in the policy configuration file 70 .
- the multifunction machine 10 can dynamically change the definitions of the policy configuration file 70 by applying the security patch 523 associated with the JSDK application 30 when executing the JSDK application 30 (this function of the multifunction machine 10 is hereinafter referred to as “policy dynamic changing function”).
- FIG. 6 is a schematic diagram illustrating an example of a format of the security patch 523 .
- the format of the security patch 523 basically complies with the format of the policy of the Java (Registered Trademark) standard.
- the part delineated with broken lines is expanded. That is, a CalledBy field and a State field may be added to the grant entry and the permission entry.
- a validation timing (timing in which the entry (grant entry or permission entry) with the CalledBy field added becomes valid) is assigned to the CalledBy field.
- the timing is identified according to the call (request) for a method.
- the CalledBy field is written in a format “CalledBy “from_class name. to_class name” in which “from_class name” is written in a format “ ⁇ class name of origin of call>: ⁇ method name>”, and “to_class_name” is written in a format “class name of destination of call>: ⁇ method name>.
- the method name and the class name of the origin of a call can be omitted.
- a corresponding entry is validated (change of policy) when a getPassWord method of a PassWord class is called.
- a corresponding entry is validated when a getPassWord method of a Password class is called by a dispPassWord method of an Apli1 class.
- the policy is changed when any method of the Password class is executed.
- FIG. 7 is a schematic diagram illustrating written examples of the CalledBy field.
- entries (A) and (B) are defined substantially the same. That is, in a case where a getPassWord of a Password class is called, the CalledBy field (part surrounded by broken lines in FIG. 7 ) defines that permission (authorization) for reading a password file (Password.txt) is granted.
- (A) of FIG. 7 illustrates a case where the CalledBy field is added to the grant entry. Accordingly, when other permission entries are included in the grant entry where the CalledBy field is added to the grant entry, the CalledBy field has an effect on the other permission entries.
- a multifunction machine status (status of the multifunction machine 10 in which the entry with a State field added becomes valid) is assigned to the State field.
- the State field is written in a format [“State State_name”].
- a character string or numeral that specifies a status is written in the “State_name”.
- the state field can be written as follows.
- FIG. 8 is a schematic diagram illustrating a first written example of a State field.
- entries (A) and (B) are defined substantially the same. That is, in a case where the value of the predetermined parameter is “1”, the State field (part surrounded by broken lines in FIG. 8 ) defines that permission (authorization) for reading a password file (Password.txt) is granted.
- (A) of FIG. 8 illustrates a case where the State field is added to the grant entry. Accordingly, when other permission entries are included in the grant entry where the State field is added to the grant entry, the State field has an effect on the other permission entries.
- the State field may be as described as follows.
- FIG. 9 is a schematic diagram illustrating a second written example of a State field.
- This State field specifies that the status of the parameter “counter. A” is “0”. That is, the State field defines that permission to read a password file (Password. txt) is granted in a case where the parameter “counter. A” is 0.
- the validity of the entry is determined by applying an AND condition with respect to the two fields.
- the validity may be determined by applying an OR condition with respect to the two fields.
- FIG. 10 is a schematic diagram illustrating processes executed by the JSDK application 30 .
- Step S 101 When a user (e.g., administrator) inputs a request to display a list of activatable JSDK applications 30 via the operations panel 202 (Step S 101 ), the SAS manager 310 reads the application management files 51 corresponding to each activatable application installed in the multifunction machine 10 (Step S 102 ). Based on definition data of the application management file 51 , an application list screen is displayed on the operation panel 202 (Step S 103 ).
- FIG. 11 illustrates examples of definitions of the application management file 51 .
- the examples of definitions illustrated in FIG. 11 are expressed in a format extending JNLP (Java Network Launching Protocol (JSR-56 specification) based on an XML (eXtensible Markup Language) format.
- JNLP Java Network Launching Protocol
- XML eXtensible Markup Language
- the definition data of the application management file 51 include, for example, an information element 510 encompassed with a ⁇ information> tag and a resource element 520 encompassed with a ⁇ resources> tag.
- a title of the application (application name) is written in a title element 511 .
- a name (vendor name), a telephone number, a facsimile number, and an e-mail address of the vendor of the application are written in a vendor element 512 , a telephone element 513 , a facsimile element 514 , and an email element 515 , respectively.
- a product ID of the application is written in a product-id element 516 .
- a description regarding the application is written in a description element 517 .
- An icon file name of the application is written in an icon element 518 .
- Information regarding resources necessary for executing applications is written in the resource element 520 .
- a file name (path name) of a JAR file of the application is written as a value of a href attribute 521 of a jar element.
- a version of the application is written as a value of a version attribute 522 .
- the security patch 523 is written as a value of a security.patch element. Further, a comment regarding the security patch 523 is written as a value of a comment attribute 524 of the security/patch element. The definition of the security patch 523 is described in detail below.
- Step S 103 the application names and list of icons of each activatable application are displayed on the application list screen according to the title elements 511 and the icon elements 518 of the application management file 51 .
- the SAS manager 310 when the user selects an application (current application) from the applications displayed on the application list screen (Step S 104 ), the SAS manager 310 generates an application setting screen 610 of the current application based on, for example, the application management file 51 associated with the current application and displays the application setting screen 610 on the operations panel 202 (Step S 105 ).
- FIG. 12 is a schematic diagram illustrating an example of the application setting screen 610 .
- the application setting screen 610 displays the items “application name”, “description”, “version”, “product ID”, and “contact address (including “telephone”, “fax”, “email”)” in the same manner as the data written in the application management file 51 .
- Information related to or affecting the security level and the security patch 523 are displayed in a security item 611 and a performance item 613 .
- the security item 611 displays a security level (level 3 ) of the current application and a check button 612 (button for selecting whether to refer to the password file) together with a message “refer to password file”. That is, in a case where the current application requires referral to the password file, the user can arbitrarily select whether to allow such referral by marking the check button 612 .
- the SAS manager 310 determines that the level of the current application is level 3 based on the signature 33 of the current application.
- the character string “refer to password file” is displayed based on a comment attribute 524 of the application management file 51 .
- the password file is a file in which user account information of the multifunction machine 10 is recorded, and is one example of a resource that does not grant reading authorization to an application of level 3 according to the policy configuration file 70 .
- an operation of the current application desired by the user can be selected by marking one of the radio buttons 614 “prioritize security”, “optimum”, and “prioritize performance”.
- the degree in which a policy defined in the policy configuration file 70 should comply with the current application depends on the selection of the radio buttons 614 .
- the degree of compliance with respect to the policy defined in the policy configuration file 70 decreases in an order starting from “prioritize security” ⁇ “optimum” ⁇ “prioritize performance”. However, as a tradeoff with respect to the decrease of compliance, the performance of the multifunction machine 10 improves.
- the SAS manager 310 After the user sets the security item 611 and the performance item 613 and clicks the OK button 615 (Step S 5106 ), the SAS manager 310 records the setting content (content set by the user) to corresponding parameters maintained in the memory or HDD 233 of the multifunction machine 10 (Step S 107 ). More specifically, the setting content with respect to the check button 612 is assigned a value of a password file flag variable (passwdFlag). For example, in a case where the check button 612 is not marked (reference to password file not permitted), “0” is recorded to the password file flag variable. In a case where the check button 612 is marked (reference to password file permitted), “1” is recorded to the password file flag variable.
- a password file flag variable passwdFlag
- the setting content with respect to the radio buttons 614 is recorded with a value of a performance flag variable (performanceFlag). For example, in a case where the radio button “prioritize security” is marked, “1” is recorded to the performance flag variable. In a case where the radio button “optimum” is marked, “2” is recorded to the performance flag variable. In a case where the radio button “prioritize performance” is marked, “3” is recorded to the performance flag variable. Then, in response to a request from the SAS manager 310 , the VM 41 of the JSDK platform 40 activates the current application (Step S 108 ).
- FIG. 13 is a flowchart for describing an activation process of a JSDK application 30 according to an embodiment of the present invention.
- Step S 1081 the VM 41 reads the JAR file 31 of the current application 30 into the memory.
- the signature 33 of the JAR file 31 is examined. For example, it is determined whether the signature 33 is authentic and whether the JAR file 31 has been tampered with. Accordingly, in a case where the JAR file 31 has no signature 33 or where the JAR file 31 has been tampered with, the activation of the JSDK application 30 is cancelled.
- the VM 41 loads a policy corresponding to the security level of the current application 30 (e.g., grant entry corresponding to Lv 3 ) as an object from the policy configuration file 70 (Step S 1082 ).
- a policy corresponding to the security level of the current application 30 e.g., grant entry corresponding to Lv 3
- FIG. 14 is a schematic diagram illustrating an example of a policy loaded as an object.
- a ProtectionDomain 411 is an instance of a Protection Domain class corresponding to the above-described Protection Domain.
- the ProtectionDomain 411 is instantiated with respect to each grant entry corresponding to the security level of the current application in the policy configuration file 70 .
- a PermissionCollection 412 is an instance of a PermissionCollection class for managing a collection of Permission objects.
- a Permission object is instantiated based on a concrete class corresponding to an access authorization granted (permitted) according to each permission entry of the policy configuration file 70 .
- a RuntimePermission object and a FilePermission object are illustrated as examples of the permission objects.
- the relationship between the ProtectionDomain 411 and the PermissionCollection 412 is associated with the corresponding relationships defined in the policy configuration file 70 .
- the VM 41 loads the class definition included in the JAR file 33 of the current application 30 in the memory (Step S 1083 ) and instantiates the current application based on the class definition (Step S 1084 ). Then, the VM 41 executes the instantiated current application (Step S 1085 ).
- This definition corresponds to granting authorization to read the password file (Password. Txt).
- the authorization to read is granted by the CalledBy field and the State field when a Password: getPassword method is called in a case where the value of the password flag (passwdFlag) is “1” (that is, a case where the check button 612 in the application setting screen 610 is marked).
- definitions e.g., password flag, performance flag
- the SAS manager 310 may determine the content to be displayed on the application setting screen 610 based on the writing of the security patch 523 .
- FIG. 15 is a schematic diagram illustrating dynamic changing of policy expressed in the form of state transition of the ProtectionDomain.
- the ProtectionDomain 411 and the PermissionCollection 412 with respect to the application 32 are illustrated in FIG. 15 .
- the application 32 represents an instance of the current application 30 .
- the ProtectionDomain 411 includes four states which are state PD_Lv 3 , state PD_Lv 3 +, state PD_Optimize, and state PD_Performance.
- the state PD_Lv 3 occurs prior to the policy being dynamically changed by the security patch 523 . In this state, regular access authorization with respect to Lv 3 is permitted.
- the state PD_Lv 3 + is where authorization for reading the password file (Password.txt) is permitted in addition to permitting the authorization of Lv 3 .
- the condition for this transition to this state is that the method [Password. getPassword] is being executed based on the permission entry 5231 of the security patch 523 (see FIG. 11 ).
- the password flag being set as “1” by the State entry of the permission entry 5231 serves as a guard condition.
- the state PD_Optimize is where all access authorizations are granted.
- the condition for this transition to this state is that the method [Apli1:init] is being executed based on the permission entry 5232 in a case where the performance flag (performanceFlag) is set with a value “2”.
- the state PD_Performance is where all access authorizations are permitted.
- the condition for this transition to this state is that [Apli1:dispPassWord] is being executed based on the permission entry 5233 in a case where the performance flag (performanceFlag) is set with a value “3”.
- FIG. 16 is a sequence diagram for describing processes performed when dynamically changing policy.
- FIG. 16 illustrates processes performed in a case where the application 32 requests to refer to a password file.
- [apli1:Apli1] represents the class name of the current application 32 (Apli1) and the identification name of the instance (apli1).
- the current application 32 has access authorization corresponding to a protection domain of Lv 3 (that is, a security level of Lv 3 is assigned to the current application 23 ).
- a Password 421 and a PassWordAccess 422 are instances of the Password class and PassWordAccess class loaded into the JSDK platform 40 for accessing the password file (Password. txt).
- the Password class has access authorization corresponding to a protection domain of Lv 2 .
- the PassWordAccess class has access authorization corresponding to a protection domain of Lv 1 .
- sm:SecurityManager 413 is an instance of a class generated for this embodiment by extending a Security Manager class according to the Java (Registered Trademark) standard.
- a dispPassWord method of the current application 32 calls a getPassWord method of the Password 421 in order to obtain password information recorded in a storage device of the multifunction machine 10 (Step S 201 ). Then, a read method (request for referring to password file) is called in the getPassWord method of the Password 421 (Step S 202 ). Because the PasswordAccess 422 is a class which directly accesses the password file, the password access 422 queries whether permission to read the password file is granted by calling the checkPermission method of the sm:SecurityManager 413 in the read method (Step S 203 ).
- the sm:SecurityManager 413 obtains a ProtectionDomain 411 corresponding to the current application 32 from the current application 32 (Step S 204 ). It is to be noted that, sm:SecurityManager 413 can identify the current application 32 (class of the current application 32 ) attempting to access the password file by tracing stack information.
- sm:SecurityManager 413 reports that a Apli1:dispPassword method or a Password:getPassword method is called to the ProtectionDomain (Step S 205 ). According to the report, the ProtectionDomain 411 determines whether state transition is necessary according to the security patch 523 (see FIG. 11 ) of the current application 32 .
- a CalledByfield ([CalledBy “Password:getPassWord”]) is added to the permission entry 5231 of the security patch 523 , and the report of Step S 205 matches the condition of the CalledBy field. Therefore, the ProtectionDomain 411 changes (conducts transition of) its state PD_Lv 3 to a state PD_Lv 3 + and validates the permission entry 5231 . This state transition corresponds to adding a FilePermission object corresponding to the permission entry 5231 to the PermissionCollection 412 (Step S 206 ).
- the Apli1:dispPassWord method is in the middle of being executed. Therefore, in a case where the value of the performance flag (performanceFlag) is “3”, the ProtectionDomain 411 changes (conducts transition) to a PD_Optimize state and validates the permission entry 5233 . In this case, the AllPermission object is added to the PermissionCollection 412 .
- Step S 201 the method being executed (i.e. the method called in Step S 201 ) is Apli1:init in a case where the value of the performance flag (performanceFlag) is “2”, the ProtectionDomain 411 changes (conducts transition) to the PD_Optimize state and validates the permission entry 5232 . In this case, the AllPermission object is added to the PermissionCollection 412 .
- the sm:SecurityManager 413 obtains the PermissionCollection 412 from the ProtectionDomain 411 (Step S 207 ). Then, the sm:SecurityManager 413 queries whether permission to read the password file is granted to the PermissionCollection 412 (Step 208 ). The PermissionCollection 412 determines whether reading permission is granted by confirming whether a Permission object corresponding to reading permission with respect to the password file is included in itself. In this example, the Permission object is added in Step S 206 . Therefore, the PermissionCollection 412 responds to the query by sending a determination result indicating that the reading permission is granted (Step S 209 ).
- the sm:Security Manager 413 reports exiting from the [Password:getPassword] to the ProtectionDomain 411 (Step S 210 ).
- the ProtectionDomain 411 changes (conducts transition of) itself to its initial state (PD_Lv).
- the sm: Security Manager does not exit from the [Password:getPassword] at this timing of reporting to the ProtectionDomain 411 .
- the exiting is reported at this timing because an event with respect to the ProtectionDomain 411 is issued by the SecurityManager 413 .
- the sm:SecurityManager 413 communicates that access permission (reading permission) is granted to the PasswordAccess 422 (Step S 211 ). In response to the grant, the password file is read. In a case where access permission is not granted, the sm:SecurityManager 413 issues an exception. This exception is reported to the current application 32 .
- the event of the ProtectionDomain 411 is issued by the sm:SecurityManager 413 .
- the event may be issued by the current application 32 .
- a policy statically defined in the policy configuration file 70 can be dynamically changed based on the security patch 523 . Therefore, the flexibility of access control by a program can be satisfactorily improved.
- the above-described embodiment is an example where an entry with a CalledBy field or a State field added is validated (i.e. permission is granted to the entry).
- the entry with the CalledBy field or the State field added may be invalidated (i.e. permission may be denied to the entry).
- only permission narrower than initially granted permission may be granted in a specific case.
- FIG. 17 is a schematic diagram for describing the example of procedures (business model) starting from development to operation of the JSDK application 30 .
- a multifunction machine vendor sells a package including a JSDK application 30 for realizing basic functions of the JSDK platform 40 (hereinafter also referred to as “JSDK package”) (Step S 501 ).
- the multifunction machine vendor attaches a signature 33 beforehand to, for example, the JSDK application 30 included in the JSDK package.
- the JSDK application 30 included in the JSDK package is developed by the multifunction machine vendor and is assigned with a high credibility security level such as Lv 1 or Lv 2 .
- the user of the multifunction machine 10 purchases the JSDK package (Step S 502 ) and installs, for example, the JSDK platform 40 in the multifunction machine 10 of the user (Step S 503 ).
- the user activates (uses), for example, the JSDK platform 40 and the JSDK application 30 according to necessity (Step S 504 ).
- an application development vendor serving to develop a JSDK application 30 with extended functions, obtains (purchases) the JSDK platform 40 to be used as a platform for development purposes and develops a new JSDK application 30 on the JSDK platform 40 (Step S 505 ). Then, the application development vendor fabricates an application development request form (Step S 506 ) and requests approval of selling the newly developed JSDK application 30 by sending a JAR file of the newly developed JSDK application 30 together with the application development request form to the multifunction vendor (Step S 507 ).
- FIG. 18 is a schematic diagram illustrating an example of the application development request form.
- FIG. 18 illustrates the application development request form including items such as a service bundle, security level, security patch, security patch reason, and performance.
- the “service bundle” is an item in which the name of the service bundle used by the JSDK application 30 requested for approval (hereinafter referred to as “request target application”) is written.
- the “security level” is an item in which the security level desired for the request target application is written.
- the “security patch” is an item in which the security patch 524 according to the format illustrated in FIG. 6 is written according to necessity.
- the “security patch reason” is an item in which a reason for requiring the security patch 524 is written.
- the “performance” is an item in which a tradeoff between performance and security of the request target application is written. In this example, relationships between performance and security are written in different levels. A method for invalidating the checking of security (checking of permission (access authorization)) for each level is written. In FIG. 18 , the relationships are divided into three levels and written as a) prioritize security, b) optimum, and c) prioritize performance.
- the multifunction machine vendor evaluates (tests) the request target application (Step S 509 ). For example, in the evaluation, verification of whether the amount of resources consumed by the request target application is within a predetermined limit and whether there are any security violations (whether the security patch is appropriate). If the request target application is evaluated as being acceptable, the multifunction machine vendor fabricates a distribution package for the request target application (Step S 510 ).
- the distribution package includes, for example, a JAR file of the request target application and the application management file 51 . Further, the signature 33 is attached to the JAR file according to the requested security level. It is to be noted that the multifunction machine vendor fabricates the signature 33 and the application management file 51 based on the application development request form.
- the multifunction machine vendor provides the distribution package to the application development vendor (Step S 511 ).
- the application development vendor receives the distribution package (Step S 512 ) and sells the distribution package (Step S 513 ) to the user.
- the user purchases the distribution package (Step S 514 ) the user installs the JSDK application 30 included in the distribution package in the multifunction machine 10 of the user (Step S 515 ).
- the JSDK application developed by the application development vendor can be assigned a security level and be permitted to apply the security patch 524 under management by the multifunction machine vendor. Therefore, unauthorized execution of applications can be effectively prevented.
Abstract
Description
- 1. Field of the Invention
- The present invention relates to an image forming apparatus, an access controlling method, and a computer-readable recording medium for access control.
- 2. Description of the Related Art
- In recent image forming apparatuses such as multifunction machines, there are image forming apparatuses that allow new applications to be developed and installed therein after the image forming apparatuses have been shipped (see, for example, Japanese Laid-Open Patent Publication No. 2005-269619). That is, new applications using a publicly available API (Application Program Interface) written in general programming languages such as C language or Java (Registered Trademark) are developed and installed in image forming apparatuses after the image forming apparatuses have been shipped. These image forming apparatuses not only may allow applications developed by the vendor of the image forming apparatuses to be installed but may also allow applications developed by other software vendors to be installed. Under such circumstance where new applications are installed and used by vendors of the image forming apparatuses and other software vendors, undesired events (e.g., leakage of confidential information, inappropriate operation of the image forming apparatus) may occur if access to resources (e.g., programs, data) of the image forming apparatuses are unconditionally permitted. Therefore, appropriate security management (access control) is required for each application.
- In a Java (Registered Trademark) application, code-based access control can be performed with a security mechanism being provided as standard equipment to an execution environment of Java (Registered Trademark). For example, access authorization (permission) can be set in correspondence with the location of a program or a person of a signature of program inside data referred to as “policy”. However, defining the policies for each application (each program) is burdensome for an administrator and increases the data amount (information amount) of the policies. This may result in degrading of performance.
- Therefore, applications are, for example, classified into different groups (or divided into different levels) according to the credibility of each application and access authorizations are set in units of each group (or level) inside the policy. In this case where applications are classified into different groups (or divided into different levels), the process of classifying the applications would be meaningless if the grading of the groups (grades of the levels) become too minute. Thus, the classifying is effective where the applications are classified into substantially large groups (reducing the number of grades of the levels).
- However, there may be a case where a part of access authorization required for executing a function of an application is beyond an access authorization range granted to the group to which the application belongs. That is, there may be a case where a function of an application cannot be realized unless greater access authorization is granted to the application. However, when the range of access authorization granted to the group to which the application belongs is changed (expanded) to a larger range, the access authorization granted to the application may be too large compared to the credibility of the application. There is a desire for a system that can grant access authorization to a particular application as an exception where the access authorization is forbidden to the group to which the application belongs.
- The present invention may provide an image forming apparatus, an access controlling method, and a computer-readable recording medium that substantially eliminate one or more of the problems caused by the limitations and disadvantages of the related art.
- Features and advantages of the present invention are set forth in the description which follows, and in part will become apparent from the description and the accompanying drawings, or may be learned by practice of the invention according to the teachings provided in the description. Objects as well as other features and advantages of the present invention will be realized and attained by an image forming apparatus, an access controlling method, and a computer-readable recording medium particularly pointed out in the specification in such full, clear, concise, and exact terms as to enable a person having ordinary skill in the art to practice the invention.
- To achieve these and other advantages and in accordance with the purpose of the invention, as embodied and broadly described herein, an embodiment of the present invention provides an image forming apparatus to which one or more programs can be added, the image forming apparatus including: a managing part configured to manage access authorization information set for each of groups into which the programs are categorized; a displaying part configured to display a setting screen in which access authorization setting information is set in correspondence with each of the programs; a changing part configured to change a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and a determining part configured to determine whether the access authorization can be granted to the programs.
- Furthermore, another embodiment of the present invention provides an access controlling method executed by an image forming apparatus to which one or more programs can be added, the method including the steps of: managing access authorization information set for each of groups into which the programs are categorized; displaying a setting screen in which access authorization setting information is set in correspondence with each of the programs; changing a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and determining whether the access authorization can be granted to the programs.
- Furthermore, yet another embodiment of the present invention provides a computer-readable recording medium on which a program for causing an image forming apparatus to execute an access controlling method is recorded, the image forming apparatus being able to have one or more programs added, the access controlling method including the steps of: managing access authorization information set for each of groups into which the programs are categorized; displaying a setting screen in which access authorization setting information is set in correspondence with each of the programs; changing a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen; and determining whether the access authorization can be granted to the programs.
- Other objects, features and advantages of the present invention will become more apparent from the following detailed description when read in conjunction with the accompanying drawings.
-
FIG. 1 is a schematic diagram illustrating a hardware configuration of a multifunction machine (image forming apparatus) according to an embodiment of the present invention; -
FIG. 2 is a schematic diagram illustrating a software configuration of a multifunction machine according to an embodiment of the present invention; -
FIG. 3 is a schematic diagram illustrating a configuration of a Java Servlet Development Kit (JSDK) application according to an embodiment of the present invention; -
FIG. 4 is a schematic diagram illustrating an example of a definition of a policy configuration file according to an embodiment of the present invention; -
FIG. 5 is a schematic diagram for describing a Protection Domain; -
FIG. 6 is a schematic diagram illustrating an example of a format of the security patch; -
FIG. 7 is a schematic diagram illustrating written examples of the CalledBy field; -
FIG. 8 is a schematic diagram illustrating a first written example of a State field; -
FIG. 9 is a schematic diagram illustrating a second written example of a State field; -
FIG. 10 is a schematic diagram illustrating processes executed by a JSDK application; -
FIG. 11 illustrates examples of definitions of a application management file; -
FIG. 12 is a schematic diagram illustrating an example of an application setting screen; -
FIG. 13 is a flowchart for describing an activation process of a JSDK application according to an embodiment of the present invention; -
FIG. 14 is a schematic diagram illustrating an example of a policy loaded as an object; -
FIG. 15 is a schematic diagram illustrating dynamic changing of policy expressed in the form of state transition of a ProtectionDomain; -
FIG. 16 is a sequence diagram for describing processes performed when dynamically changing policy; -
FIG. 17 is a schematic diagram for describing an example of procedures starting from development to operation of a JSDK application; and -
FIG. 18 is a schematic diagram illustrating an example of an application development request form. -
FIG. 1 is a schematic diagram illustrating a hardware configuration of a multifunction machine (image forming apparatus) 10 according to an embodiment of the present invention. Themultifunction machine 10 illustrated inFIG. 1 includes, for example, acontroller 201, anoperations panel 202, a facsimile control unit (FCU) 203, and animaging part 204, and aprinting part 205. - In this embodiment, the
controller 201 includes a CPU (Central Processing Unit) 211, an ASIC (Application Specific Integrated Circuit) 212, a NB (North Bridge) 221, a SB (South Bridge) 222, a MEM-P (Memory-P) 231, a MEM-C (Memory-C) 232, a HDD (Hard Disk Drive) 233, amemory card slot 234, a NIC (Network Interface Controller) 241, aUSB device 242, a IEEE 1394device 243, and a Centronicsdevice 244. The below-described embodiment of a process (function) of controlling access may be executed with a program recorded on a computer-readable recording medium 100 that is loaded to theimage forming apparatus 10. - In this embodiment, the
CPU 211 is an IC (Integrated Circuit) for performing various data processes. The ASIC 212 is an IC for performing various image processes. The NB 221 is a north bridge of thecontroller 201. The SP 222 is a south bridge of thecontroller 201. The MEN-P 231 is a system memory of themultifunction machine 10. The MEM-C 232 is a local memory of themultifunction machine 10. TheHDD 233 is a storage device of themultifunction machine 10. Thememory card slot 234 is a slot for inserting amemory card 235 into. The NIC 241 is a controller for network communications according to MAC addresses. TheUSB device 242 is a device for providing connections with USB standard terminals. The IEEE 1394device 243 is a device for providing connections with IEEE 1394 standard terminals. TheCentronics device 244 is a device for providing connections with Centronics specification terminals. - The
operations panel 202 is an operating part for enabling an operator (user) to input data into themultifunction machine 10. Theoperations panel 202 is also a display part for enabling the operator to obtain output from themultifunction machine 10. -
FIG. 2 is a schematic diagram illustrating a software configuration of themultifunction machine 10 according to an embodiment of the present invention. InFIG. 2 , the software of themultifunction machine 10 includes, for example, a JSDK (Java Servlet Development Kit)application 30, aJSDK platform 40, and anative service layer 50. The processes (functions) included in the software are executed by theCPU 211. - The
native service layer 50 provides interfaces that enable upper layer modules to use functions provided by the hardware and the software of themultifunction machine 10 and performs controls to realize the functions in response to calls requesting the interfaces (requests to use the functions). For example, thenative service layer 50 includes a module for providing an interface related to controlling network communications, a module for providing an interface related to controlling a facsimile, a module for providing an interface related to controlling delivery of stored documents (document (image) data stored in the HDD 233), a module for providing an interface related to controlling theimaging part 204 or theprinting part 205, a module for providing an interface related to controlling thememory HDD 233, a module for providing an interface related to controlling theoperations panel 202, a module for providing an interface related to controlling an authorizing process or a billing process, and a module for providing an interface related to managing user data. - The
JSDK platform 40 is a software platform for providing an execution environment of theJSDK application 30. TheJSDK platform 40 provides Java (Registered Trademark) interfaces associated with thenative service layer 50 with respect to upper layer modules. TheJSDK platform 40 includes, for example, classes of Java (Registered Trademark) standard, a class library related to classes expanded for themultifunction machine 10, and a Java (Registered Trademark) virtual machine (VM) 41. - The
VM 41 controls execution of theJSDK application 30 while sequentially interpreting Java (Registered Trademark) byte codes. As part of controlling the execution of theJSDK application 30, theVM 41 controls access of theJSDK application 30 with respect to resources such as files, network sockets, and printers according to a policy defined beforehand by thepolicy configuration file 70. In other words, as a Java (Registered Trademark) standard mechanism, theVM 41 is configured to report (call) to an instance (Security Manager object) of a Security Manager class when access is made to a resource. In response to the report (call) from theVM 41, the Security Manager object determines whether access to the resource is permissible according to thepolicy configuration file 70. - The
JSDK platform 40 is loaded as an OSGI (Open Service Gateway initiative) platform. The OSGi platform, which is standard technology by the OSGi alliance, is a software platform for providing an execution environment of software components fabricated according to open software modularization technology based on Java (Registered Trademark) language. In the OSGi platform, the Java (Registered Trademark) language software is loaded in a form of a software component referred to as a “bundle”. A single bundle is composed of a single JAR (Java ARchive). Each bundle can be dynamically installed without requiring rebooting of themultifunction machine 10. - The
JSDK application 30 is an application fabricated by a dedicated SDK (Software Development Kit) disclosed in the JSDK platform 40 (hereinafter referred to as “SDK application”). Thus, among the SDK applications, an application developed by using Java (Registered Trademark) is referred to as a JSDK application. - In
FIG. 2 , theJSDK application 30 includes, for example, a SAS (SDK Application Service) manager 31, anapplication bundle 320, and aservice bundle 330. The SAS manager is for controlling, for example, installing (addition), uninstalling (deletion), booting, and cancelling booting of other JSDK applications 30 (e.g.,application bundle 320, service bundle 330). - The
application bundle 320 serves as a bundle of theJSDK application 30 for displaying a control screen in theoperations panel 202 and allowing an end user to directly operate on (use) the control screen. InFIG. 2 , ascanning application 321 is illustrated as an example of theapplication bundle 320. Thescanning application 321 is an application for enabling an image to be read from a document by theimaging part 204. - The
service bundle 330 serves as a bundle of theJSDK application 30 for providing services to, for example, theapplication bundle 320. That is, each service of theservice bundle 330 executes a process corresponding to theservice bundle 330 in response to a call (request) from, for example, theapplication bundle 320 and returns a result of the process (process result) to theapplication bundle 320. InFIG. 2 , ascanning service 331 and apanel service 332 are illustrated as examples of theservice bundle 330. - The
scanning service 331 provides a service related to a function of reading images. Thepanel service 332 provides a service related to controlling the displaying of theoperations panel 202. - Next, management of security related to the
JSDK application 30 in themultifunction machine 10 is described. As described above, theJSDK application 30 is a Java (Registered Trademark) application developed using a SDK disclosed in theJSDK platform 40. Therefore, an application developed by a third-party vendor or the like after shipment of themultifunction machine 10 may be installed in themultifunction machine 10 as theJSDK application 30. - Accordingly, the
multifunction machine 10 conducts code-based access control by dividing the range of access authorization for resources of themultifunction machine 10 into levels (hereinafter referred to as “security levels”) (categorized into groups) and assigning a security level to eachJSDK application 30 in correspondence with the credibility of eachJSDK application 30. The security level can be identified (distinguished) according to a signature (electronic signature) attached to eachJSDK application 30. -
FIG. 3 is a schematic diagram illustrating a configuration of theJSOK application 30 according to an embodiment of the present invention. As illustrated inFIG. 3 , eachJSDK application 30 includes files such as a JAR file 31 and anapplication management file 51. A signature 33 attached (associated) to the JAR file 31 corresponds to a signature for identifying the security level. The signature 33 is, for example, encrypted with a hash value of the JAR file 31. The security level is identified with an encryption key used for encrypting the signature 33. Besides being used for identifying the security level, the signature 33 is also used for determining whether theJSDK application 30 has been tampered with. It is to be noted that, in this embodiment, the security level is divided into three stages of different value. The values of the three stages are level 1 (Lv1), level 2 (Lv2), and level 3 (Lv3). Level 1 (Lv1) has the highest access authorization.Level 3 has the lowest access authorization. - The access authorization of each security level is defined in the
policy configuration file 70 according to specifications of the Java (Registered Trademark) standard. -
FIG. 4 is a schematic diagram illustrating an example of a definition of thepolicy configuration file 70 according to an embodiment of the present invention. InFIG. 4 , because the format of thepolicy configuration file 70 complies with the specifications of the Java (Registered Trademark) standard, details of the format of thepolicy configuration file 70 are omitted. - In
FIG. 4 , three grant entries 71-73 are illustrated. The Lv1 is designated in the field “Signed By” of thegrant entry 71. Therefore, the definition of thegrant entry 71 is applied to theJSDK application 30 having attached the signature 33 with a security level value of Lv1. Likewise, the definition of thegrant entry 72 is applied to theJSDK application 30 having attached the signature 33 with a security level value of Lv2, and the definition of thegrant entry 73 is applied to theJSDK application 30 having attached the signature 33 with a security level value of Lv3. - As illustrated in (a) of the
grant entry 71 ofFIG. 4 , thegrant entry 71 is set so that all of the packages (“accessClassInPackage.*”) can be accessed during operation (i.e. when theJSDK application 30 of Lv1 is being executed) (“RuntimePermission”). Further, as illustrated in (b) of thegrant entry 71 ofFIG. 4 , thegrant entry 71 is set so that dynamic link to all of the libraries can be performed. Further, as illustrated in (c) of thegrant entry 71 ofFIG. 4 , thegrant entry 71 is set so that reading (“read”) and writing (“write”) can be performed on all files in the file system. - Accordingly, in the
policy configuration file 70 access authorization is defined in correspondence with the security level. Therefore, with themultifunction machine 10, the access authorization of theJSDK application 30 is determined according to the security level corresponding to the signature 33 attached to eachJSDK application 30. - Each security level (Lv1, Lv2, Lv3) forms a Protection Domain according to Java (Registered Trademark).
FIG. 5 is a schematic diagram for describing a Protection Domain. The Protection Domain is a set of objects that can be currently directly accessed by theJSDK application 30 or instances of classes included in the JSDK application 30 (i.e. a set of permissions). InFIG. 5 , Protection Domain X is applied to a.class and b.class, and Protection Domain Y is applied to c.class and d.class. In other words, permissions belonging to the Protection Domain X are granted to the a.class and the b.class. Likewise, permissions belonging to the Protection Domain Y are granted to the c.class and the d.class. InFIG. 5 , a single “Permission” is assumed as a single permission in thepolicy configuration file 70. Further, a single Protection Domain is assumed to correspond to a single grant entry. Thus, with themultifunction machine 10 according to an embodiment of the present invention, a protection domain corresponding to Lv1, a protection domain corresponding to Lv2, and a protection domain corresponding to Lv3 are formed. - Returning to
FIG. 3 , theapplication management file 51 is a file to which various data are defined. For example, data regarding elements of theJSDK application 30, data for installing and booting theJSDK application 30, and other data for management are defined in theapplication management file 51. For example, theapplication management file 51 may be associated with the JAR file 31 according to file name. In this embodiment, theapplication management file 51 includes asecurity patch 523. Thesecurity patch 523 is a patch (change information or difference information) with respect to definitions of the policies that are statically set in thepolicy configuration file 70. Themultifunction machine 10 can dynamically change the definitions of thepolicy configuration file 70 by applying thesecurity patch 523 associated with theJSDK application 30 when executing the JSDK application 30 (this function of themultifunction machine 10 is hereinafter referred to as “policy dynamic changing function”). -
FIG. 6 is a schematic diagram illustrating an example of a format of thesecurity patch 523. As illustrated inFIG. 6 , the format of thesecurity patch 523 basically complies with the format of the policy of the Java (Registered Trademark) standard. In this embodiment, the part delineated with broken lines is expanded. That is, a CalledBy field and a State field may be added to the grant entry and the permission entry. - A validation timing (timing in which the entry (grant entry or permission entry) with the CalledBy field added becomes valid) is assigned to the CalledBy field. The timing is identified according to the call (request) for a method. The CalledBy field is written in a format “CalledBy “from_class name. to_class name” in which “from_class name” is written in a format “<class name of origin of call>: <method name>”, and “to_class_name” is written in a format “class name of destination of call>: <method name>. However, the method name and the class name of the origin of a call can be omitted.
- Examples of formats of [“from_class_name. to_class_name”] and their meaning are described below.
- (1) “Password: getPassWord”
- In this case, a corresponding entry is validated (change of policy) when a getPassWord method of a PassWord class is called.
- (2) “Apli1:dispPassWord.Password:getPassWord”
- In this case, a corresponding entry is validated when a getPassWord method of a Password class is called by a dispPassWord method of an Apli1 class.
- In this case, the policy is changed when any method of the Password class is executed.
- For example,
FIG. 7 is a schematic diagram illustrating written examples of the CalledBy field. InFIG. 7 , entries (A) and (B) are defined substantially the same. That is, in a case where a getPassWord of a Password class is called, the CalledBy field (part surrounded by broken lines inFIG. 7 ) defines that permission (authorization) for reading a password file (Password.txt) is granted. (A) ofFIG. 7 illustrates a case where the CalledBy field is added to the grant entry. Accordingly, when other permission entries are included in the grant entry where the CalledBy field is added to the grant entry, the CalledBy field has an effect on the other permission entries. - Further, a multifunction machine status (status of the
multifunction machine 10 in which the entry with a State field added becomes valid) is assigned to the State field. The State field is written in a format [“State State_name”]. A character string or numeral that specifies a status is written in the “State_name”. - For example, in a case where a fixed parameter is predetermined for identifying a status, the state field can be written as follows.
-
FIG. 8 is a schematic diagram illustrating a first written example of a State field. InFIG. 8 , entries (A) and (B) are defined substantially the same. That is, in a case where the value of the predetermined parameter is “1”, the State field (part surrounded by broken lines inFIG. 8 ) defines that permission (authorization) for reading a password file (Password.txt) is granted. (A) ofFIG. 8 illustrates a case where the State field is added to the grant entry. Accordingly, when other permission entries are included in the grant entry where the State field is added to the grant entry, the State field has an effect on the other permission entries. - Further, in a case of specifying the parameter for identifying a status of the
multifunction machine 10 with the State field, the State field may be as described as follows. -
FIG. 9 is a schematic diagram illustrating a second written example of a State field. InFIG. 9 , the State field is described as “State Counter. A==0”. This State field specifies that the status of the parameter “counter. A” is “0”. That is, the State field defines that permission to read a password file (Password. txt) is granted in a case where the parameter “counter. A” is 0. - In this embodiment, when a Calledby field and a State field define the same entry, the validity of the entry is determined by applying an AND condition with respect to the two fields. Alternatively, the validity may be determined by applying an OR condition with respect to the two fields.
- Next, processes executed by the
multifunction machine 10 according to an embodiment of the present invention are described.FIG. 10 is a schematic diagram illustrating processes executed by theJSDK application 30. - When a user (e.g., administrator) inputs a request to display a list of
activatable JSDK applications 30 via the operations panel 202 (Step S101), theSAS manager 310 reads the application management files 51 corresponding to each activatable application installed in the multifunction machine 10 (Step S102). Based on definition data of theapplication management file 51, an application list screen is displayed on the operation panel 202 (Step S103). -
FIG. 11 illustrates examples of definitions of theapplication management file 51. The examples of definitions illustrated inFIG. 11 are expressed in a format extending JNLP (Java Network Launching Protocol (JSR-56 specification) based on an XML (eXtensible Markup Language) format. - In
FIG. 11 , the definition data of theapplication management file 51 include, for example, aninformation element 510 encompassed with a <information> tag and aresource element 520 encompassed with a <resources> tag. - Mainly, information regarding the application and information for identifying the maker of the application are described in the
information element 510. That is, a title of the application (application name) is written in atitle element 511. A name (vendor name), a telephone number, a facsimile number, and an e-mail address of the vendor of the application are written in avendor element 512, atelephone element 513, afacsimile element 514, and anemail element 515, respectively. Further, a product ID of the application is written in a product-id element 516. A description regarding the application is written in a description element 517. An icon file name of the application is written in an icon element 518. - Information regarding resources necessary for executing applications is written in the
resource element 520. For example, a file name (path name) of a JAR file of the application is written as a value of ahref attribute 521 of a jar element. Further, a version of the application is written as a value of aversion attribute 522. - Further, the
security patch 523 is written as a value of a security.patch element. Further, a comment regarding thesecurity patch 523 is written as a value of acomment attribute 524 of the security/patch element. The definition of thesecurity patch 523 is described in detail below. - In Step S103, the application names and list of icons of each activatable application are displayed on the application list screen according to the
title elements 511 and the icon elements 518 of theapplication management file 51. - Then, when the user selects an application (current application) from the applications displayed on the application list screen (Step S104), the
SAS manager 310 generates anapplication setting screen 610 of the current application based on, for example, theapplication management file 51 associated with the current application and displays theapplication setting screen 610 on the operations panel 202 (Step S105). -
FIG. 12 is a schematic diagram illustrating an example of theapplication setting screen 610. Theapplication setting screen 610 displays the items “application name”, “description”, “version”, “product ID”, and “contact address (including “telephone”, “fax”, “email”)” in the same manner as the data written in theapplication management file 51. - Information related to or affecting the security level and the security patch 523 (information related to access authorization of the current application) are displayed in a
security item 611 and aperformance item 613. InFIG. 12 , thesecurity item 611 displays a security level (level 3) of the current application and a check button 612 (button for selecting whether to refer to the password file) together with a message “refer to password file”. That is, in a case where the current application requires referral to the password file, the user can arbitrarily select whether to allow such referral by marking thecheck button 612. TheSAS manager 310 determines that the level of the current application islevel 3 based on the signature 33 of the current application. Further, the character string “refer to password file” is displayed based on acomment attribute 524 of theapplication management file 51. Further, the password file is a file in which user account information of themultifunction machine 10 is recorded, and is one example of a resource that does not grant reading authorization to an application oflevel 3 according to thepolicy configuration file 70. - In the
performance item 613, an operation of the current application desired by the user can be selected by marking one of theradio buttons 614 “prioritize security”, “optimum”, and “prioritize performance”. The degree in which a policy defined in thepolicy configuration file 70 should comply with the current application depends on the selection of theradio buttons 614. The degree of compliance with respect to the policy defined in thepolicy configuration file 70 decreases in an order starting from “prioritize security”→“optimum”→“prioritize performance”. However, as a tradeoff with respect to the decrease of compliance, the performance of themultifunction machine 10 improves. - After the user sets the
security item 611 and theperformance item 613 and clicks the OK button 615 (Step S5106), theSAS manager 310 records the setting content (content set by the user) to corresponding parameters maintained in the memory orHDD 233 of the multifunction machine 10 (Step S107). More specifically, the setting content with respect to thecheck button 612 is assigned a value of a password file flag variable (passwdFlag). For example, in a case where thecheck button 612 is not marked (reference to password file not permitted), “0” is recorded to the password file flag variable. In a case where thecheck button 612 is marked (reference to password file permitted), “1” is recorded to the password file flag variable. The setting content with respect to theradio buttons 614 is recorded with a value of a performance flag variable (performanceFlag). For example, in a case where the radio button “prioritize security” is marked, “1” is recorded to the performance flag variable. In a case where the radio button “optimum” is marked, “2” is recorded to the performance flag variable. In a case where the radio button “prioritize performance” is marked, “3” is recorded to the performance flag variable. Then, in response to a request from theSAS manager 310, theVM 41 of theJSDK platform 40 activates the current application (Step S108). - Next, the Step S108 is described in further detail.
FIG. 13 is a flowchart for describing an activation process of aJSDK application 30 according to an embodiment of the present invention. - In Step S1081, the
VM 41 reads the JAR file 31 of thecurrent application 30 into the memory. In this step, the signature 33 of the JAR file 31 is examined. For example, it is determined whether the signature 33 is authentic and whether the JAR file 31 has been tampered with. Accordingly, in a case where the JAR file 31 has no signature 33 or where the JAR file 31 has been tampered with, the activation of theJSDK application 30 is cancelled. - Then, the
VM 41 loads a policy corresponding to the security level of the current application 30 (e.g., grant entry corresponding to Lv3) as an object from the policy configuration file 70 (Step S1082). -
FIG. 14 is a schematic diagram illustrating an example of a policy loaded as an object. In FIG. 14, aProtectionDomain 411 is an instance of a Protection Domain class corresponding to the above-described Protection Domain. TheProtectionDomain 411 is instantiated with respect to each grant entry corresponding to the security level of the current application in thepolicy configuration file 70. - A
PermissionCollection 412 is an instance of a PermissionCollection class for managing a collection of Permission objects. A Permission object is instantiated based on a concrete class corresponding to an access authorization granted (permitted) according to each permission entry of thepolicy configuration file 70. InFIG. 14 , a RuntimePermission object and a FilePermission object are illustrated as examples of the permission objects. - As illustrated in
FIG. 14 , the relationship between theProtectionDomain 411 and thePermissionCollection 412 is associated with the corresponding relationships defined in thepolicy configuration file 70. - Then, the
VM 41 loads the class definition included in the JAR file 33 of thecurrent application 30 in the memory (Step S1083) and instantiates the current application based on the class definition (Step S1084). Then, theVM 41 executes the instantiated current application (Step S1085). - Next, an operation is described where the application executed by the processes illustrated in
FIGS. 10 and 13 has thesecurity patch 523 applied and has its policy dynamically changed. - Returning to
FIG. 11 illustrating thesecurity patch 523 included in theapplication management file 51, three permission entries are included in thesecurity patch 523. - The definition of the
permission entry 5231 is [permission java. Io.FilePermission “Password.txt”, “read”, CalledBy “Password:getPassWord”, State passwdFlag==1]. This definition corresponds to granting authorization to read the password file (Password. Txt). However, in this embodiment, the authorization to read is granted by the CalledBy field and the State field when a Password: getPassword method is called in a case where the value of the password flag (passwdFlag) is “1” (that is, a case where thecheck button 612 in theapplication setting screen 610 is marked). - The definition of the
permission entry 5232 is [permission java.security.AllPermission State performanceFlag==2, CalledBy “Apli1:int”]. This definition corresponds to granting all authorizations (All Permission). However, in this embodiment, all the authorizations are granted by the CalledBy field and the State field when an [Apl1:init] method is called in a case where the value of the performance flag (performanceFlag) is “2” (that is, a case where “optimum” is selected as theradio button 613 in the application setting screen 610). - The definition of the
permission entry 5233 is [permission java.security.AllPermission State performanceFlag==3, CalledBy “Apli1:dispPassWord”]. This definition corresponds to granting all authorizations (All Permission). However, in this embodiment, all the authorizations are granted by the CalledBy field and the State field when an [Apl1:dispPassWord] method is called in a case where the value of the performance flag (performanceFlag) is “3” (that is, a case where “prioritize performance” is selected as theradio button 613 in the application setting screen 610). - Accordingly, definitions (e.g., password flag, performance flag) are provided in the
security patch 523 in correspondence with parameters set in theapplication setting screen 610. Therefore, theSAS manager 310 may determine the content to be displayed on theapplication setting screen 610 based on the writing of thesecurity patch 523. - The dynamic changing of policy by the
security patch 523 can be regarded as a state transition of theProtectionDomain 411.FIG. 15 is a schematic diagram illustrating dynamic changing of policy expressed in the form of state transition of the ProtectionDomain. TheProtectionDomain 411 and thePermissionCollection 412 with respect to theapplication 32 are illustrated inFIG. 15 . Theapplication 32 represents an instance of thecurrent application 30. - In
FIG. 15 , theProtectionDomain 411 includes four states which are state PD_Lv3, state PD_Lv3+, state PD_Optimize, and state PD_Performance. - The state PD_Lv3 occurs prior to the policy being dynamically changed by the
security patch 523. In this state, regular access authorization with respect to Lv3 is permitted. - The state PD_Lv3+ is where authorization for reading the password file (Password.txt) is permitted in addition to permitting the authorization of Lv3.
- The condition for this transition to this state is that the method [Password. getPassword] is being executed based on the
permission entry 5231 of the security patch 523 (seeFIG. 11 ). However, in this embodiment, the password flag being set as “1” by the State entry of thepermission entry 5231 serves as a guard condition. - The state PD_Optimize is where all access authorizations are granted. The condition for this transition to this state is that the method [Apli1:init] is being executed based on the
permission entry 5232 in a case where the performance flag (performanceFlag) is set with a value “2”. - The state PD_Performance is where all access authorizations are permitted. The condition for this transition to this state is that [Apli1:dispPassWord] is being executed based on the
permission entry 5233 in a case where the performance flag (performanceFlag) is set with a value “3”. -
FIG. 16 is a sequence diagram for describing processes performed when dynamically changing policy.FIG. 16 illustrates processes performed in a case where theapplication 32 requests to refer to a password file. - In
FIG. 16 , [apli1:Apli1] represents the class name of the current application 32 (Apli1) and the identification name of the instance (apli1). Thecurrent application 32 has access authorization corresponding to a protection domain of Lv3 (that is, a security level of Lv3 is assigned to the current application 23). In this embodiment, aPassword 421 and aPassWordAccess 422 are instances of the Password class and PassWordAccess class loaded into theJSDK platform 40 for accessing the password file (Password. txt). The Password class has access authorization corresponding to a protection domain of Lv2. The PassWordAccess class has access authorization corresponding to a protection domain of Lv1. Further, sm:SecurityManager 413 is an instance of a class generated for this embodiment by extending a Security Manager class according to the Java (Registered Trademark) standard. - As illustrated in
FIG. 16 , in terms of permission (access authorization) regarding password files according to thepolicy configuration file 70, permission to read and permission to write are granted to Lv1 while permission to read is granted to Lv2. On the other hand, neither permission to read nor permission to write is granted to Lv3. - For example, when a dispPassWord method of the
current application 32 is called, thecurrent application 32 calls a getPassWord method of thePassword 421 in order to obtain password information recorded in a storage device of the multifunction machine 10 (Step S201). Then, a read method (request for referring to password file) is called in the getPassWord method of the Password 421 (Step S202). Because thePasswordAccess 422 is a class which directly accesses the password file, thepassword access 422 queries whether permission to read the password file is granted by calling the checkPermission method of the sm:SecurityManager 413 in the read method (Step S203). - Then, the sm:
SecurityManager 413 obtains aProtectionDomain 411 corresponding to thecurrent application 32 from the current application 32 (Step S204). It is to be noted that, sm:SecurityManager 413 can identify the current application 32 (class of the current application 32) attempting to access the password file by tracing stack information. - Then, sm:
SecurityManager 413 reports that a Apli1:dispPassword method or a Password:getPassword method is called to the ProtectionDomain (Step S205). According to the report, theProtectionDomain 411 determines whether state transition is necessary according to the security patch 523 (seeFIG. 11 ) of thecurrent application 32. - In this example, a CalledByfield ([CalledBy “Password:getPassWord”]) is added to the
permission entry 5231 of thesecurity patch 523, and the report of Step S205 matches the condition of the CalledBy field. Therefore, theProtectionDomain 411 changes (conducts transition of) its state PD_Lv3 to a state PD_Lv3+ and validates thepermission entry 5231. This state transition corresponds to adding a FilePermission object corresponding to thepermission entry 5231 to the PermissionCollection 412 (Step S206). - However, in this state, the Apli1:dispPassWord method is in the middle of being executed. Therefore, in a case where the value of the performance flag (performanceFlag) is “3”, the
ProtectionDomain 411 changes (conducts transition) to a PD_Optimize state and validates thepermission entry 5233. In this case, the AllPermission object is added to thePermissionCollection 412. - Assuming that the method being executed (i.e. the method called in Step S201) is Apli1:init in a case where the value of the performance flag (performanceFlag) is “2”, the
ProtectionDomain 411 changes (conducts transition) to the PD_Optimize state and validates thepermission entry 5232. In this case, the AllPermission object is added to thePermissionCollection 412. - Then, the sm:
SecurityManager 413 obtains thePermissionCollection 412 from the ProtectionDomain 411 (Step S207). Then, the sm:SecurityManager 413 queries whether permission to read the password file is granted to the PermissionCollection 412 (Step 208). ThePermissionCollection 412 determines whether reading permission is granted by confirming whether a Permission object corresponding to reading permission with respect to the password file is included in itself. In this example, the Permission object is added in Step S206. Therefore, thePermissionCollection 412 responds to the query by sending a determination result indicating that the reading permission is granted (Step S209). - Then, the sm:
Security Manager 413 reports exiting from the [Password:getPassword] to the ProtectionDomain 411 (Step S210). In response to the report, theProtectionDomain 411 changes (conducts transition of) itself to its initial state (PD_Lv). Technically, the sm: Security Manager does not exit from the [Password:getPassword] at this timing of reporting to theProtectionDomain 411. However, in this embodiment, the exiting is reported at this timing because an event with respect to theProtectionDomain 411 is issued by theSecurityManager 413. - Then, the sm:
SecurityManager 413 communicates that access permission (reading permission) is granted to the PasswordAccess 422 (Step S211). In response to the grant, the password file is read. In a case where access permission is not granted, the sm:SecurityManager 413 issues an exception. This exception is reported to thecurrent application 32. - In this embodiment, the event of the
ProtectionDomain 411 is issued by the sm:SecurityManager 413. Alternatively, the event may be issued by thecurrent application 32. - With the above-described
multifunction machine 10, a policy statically defined in thepolicy configuration file 70 can be dynamically changed based on thesecurity patch 523. Therefore, the flexibility of access control by a program can be satisfactorily improved. - The above-described embodiment is an example where an entry with a CalledBy field or a State field added is validated (i.e. permission is granted to the entry). Alternatively, the entry with the CalledBy field or the State field added may be invalidated (i.e. permission may be denied to the entry). In such an alternative case, only permission narrower than initially granted permission may be granted in a specific case.
- The above-described security function and mechanism with respect to the
JSDK application 30 exhibit greater effectiveness in a case where procedures from development and operation of theJSDK application 30 are appropriately executed. Next, an example of procedures (business model) starting from development to operation of theJSDK application 30 is described. -
FIG. 17 is a schematic diagram for describing the example of procedures (business model) starting from development to operation of theJSDK application 30. - First, a multifunction machine vendor (manufacturer of the
multifunction machine 10 or an entity providing sales and maintenance or the like of the multifunction machine 10) sells a package including aJSDK application 30 for realizing basic functions of the JSDK platform 40 (hereinafter also referred to as “JSDK package”) (Step S501). The multifunction machine vendor attaches a signature 33 beforehand to, for example, theJSDK application 30 included in the JSDK package. TheJSDK application 30 included in the JSDK package is developed by the multifunction machine vendor and is assigned with a high credibility security level such as Lv1 or Lv2. - The user of the
multifunction machine 10 purchases the JSDK package (Step S502) and installs, for example, theJSDK platform 40 in themultifunction machine 10 of the user (Step S503). The user activates (uses), for example, theJSDK platform 40 and theJSDK application 30 according to necessity (Step S504). - On the other hand, an application development vendor, serving to develop a
JSDK application 30 with extended functions, obtains (purchases) theJSDK platform 40 to be used as a platform for development purposes and develops anew JSDK application 30 on the JSDK platform 40 (Step S505). Then, the application development vendor fabricates an application development request form (Step S506) and requests approval of selling the newly developedJSDK application 30 by sending a JAR file of the newly developedJSDK application 30 together with the application development request form to the multifunction vendor (Step S507). -
FIG. 18 is a schematic diagram illustrating an example of the application development request form.FIG. 18 illustrates the application development request form including items such as a service bundle, security level, security patch, security patch reason, and performance. - The “service bundle” is an item in which the name of the service bundle used by the
JSDK application 30 requested for approval (hereinafter referred to as “request target application”) is written. The “security level” is an item in which the security level desired for the request target application is written. The “security patch” is an item in which thesecurity patch 524 according to the format illustrated inFIG. 6 is written according to necessity. The “security patch reason” is an item in which a reason for requiring thesecurity patch 524 is written. The “performance” is an item in which a tradeoff between performance and security of the request target application is written. In this example, relationships between performance and security are written in different levels. A method for invalidating the checking of security (checking of permission (access authorization)) for each level is written. InFIG. 18 , the relationships are divided into three levels and written as a) prioritize security, b) optimum, and c) prioritize performance. - When the multifunction machine vendor receives the request for approval (Step S508), the multifunction machine vendor evaluates (tests) the request target application (Step S509). For example, in the evaluation, verification of whether the amount of resources consumed by the request target application is within a predetermined limit and whether there are any security violations (whether the security patch is appropriate). If the request target application is evaluated as being acceptable, the multifunction machine vendor fabricates a distribution package for the request target application (Step S510). The distribution package includes, for example, a JAR file of the request target application and the
application management file 51. Further, the signature 33 is attached to the JAR file according to the requested security level. It is to be noted that the multifunction machine vendor fabricates the signature 33 and theapplication management file 51 based on the application development request form. Next, the multifunction machine vendor provides the distribution package to the application development vendor (Step S511). - Then, the application development vendor receives the distribution package (Step S512) and sells the distribution package (Step S513) to the user. When the user purchases the distribution package (Step S514), the user installs the
JSDK application 30 included in the distribution package in themultifunction machine 10 of the user (Step S515). Then, the user activates the JSDK application 30 (Step S516). Then, the user operates the JSDK application 30 (Step S517). - With the above-described procedures, the JSDK application developed by the application development vendor can be assigned a security level and be permitted to apply the
security patch 524 under management by the multifunction machine vendor. Therefore, unauthorized execution of applications can be effectively prevented. - With the image forming apparatus, the access controlling method, and the computer-readable recording medium according to the above-described embodiment of the present invention, flexible control of access to programs can be improved.
- The present invention is not limited to the specifically disclosed embodiments, and variations and modifications may be made without departing from the scope of the present invention.
- The present application is based on Japanese Priority Application No. 2008-118619 filed on Apr. 30, 2008, with the Japanese Patent Office, the entire contents of which are hereby incorporated herein by reference.
Claims (15)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008-118619 | 2008-04-30 | ||
JP2008118619A JP5037422B2 (en) | 2008-04-30 | 2008-04-30 | Image forming apparatus, access control method, and access control program |
Publications (2)
Publication Number | Publication Date |
---|---|
US20090276826A1 true US20090276826A1 (en) | 2009-11-05 |
US9135468B2 US9135468B2 (en) | 2015-09-15 |
Family
ID=41258025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/423,884 Active 2031-07-27 US9135468B2 (en) | 2008-04-30 | 2009-04-15 | Apparatus, method, and computer-readable recording medium for access control |
Country Status (2)
Country | Link |
---|---|
US (1) | US9135468B2 (en) |
JP (1) | JP5037422B2 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9372983B2 (en) | 2012-03-14 | 2016-06-21 | Samsung Electronics Co., Ltd. | Apparatus and method of controlling permission to applications in a portable terminal |
US20200037000A1 (en) * | 2018-07-30 | 2020-01-30 | Ricoh Company, Ltd. | Distribution system, client terminal, and method of controlling display |
WO2020036265A1 (en) * | 2018-08-16 | 2020-02-20 | Hewlett-Packard Development Company, L.P. | Method for protecting personal information in image forming apparatus |
US10855857B2 (en) | 2018-09-27 | 2020-12-01 | Ricoh Company, Ltd. | Information processing system to register a service to a target device |
US10911624B2 (en) | 2018-11-30 | 2021-02-02 | Ricoh Company, Ltd. | Server, method of controlling data communication, and storage medium |
US11095780B2 (en) | 2018-11-29 | 2021-08-17 | Ricoh Company, Ltd. | Information processing apparatus for automatically determining a transmission destination of image data |
US11153401B2 (en) | 2018-09-28 | 2021-10-19 | Ricoh Company, Ltd. | Information processing system, information processing apparatus, and method of processing information |
US11431874B2 (en) | 2018-11-28 | 2022-08-30 | Ricoh Company, Ltd. | Information processing system to securely upload image data |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8677506B2 (en) | 2009-12-03 | 2014-03-18 | Osocad Remote Limited Liability Company | System and method for loading application classes |
JP6720795B2 (en) | 2016-09-16 | 2020-07-08 | 株式会社リコー | Equipment, information processing device, information processing system, information processing method, and program |
JP6870311B2 (en) | 2016-12-16 | 2021-05-12 | 株式会社リコー | Information processing systems, equipment, information processing methods and programs |
JP6935291B2 (en) * | 2017-09-29 | 2021-09-15 | キヤノン株式会社 | Image forming apparatus and its control method |
JP7119844B2 (en) | 2018-03-05 | 2022-08-17 | 株式会社リコー | Information processing system, information processing device, information processing method and program |
WO2021014633A1 (en) * | 2019-07-25 | 2021-01-28 | 富士通株式会社 | Information processing system, access control device, access control method, and access control program |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5987611A (en) * | 1996-12-31 | 1999-11-16 | Zone Labs, Inc. | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
US6289462B1 (en) * | 1998-09-28 | 2001-09-11 | Argus Systems Group, Inc. | Trusted compartmentalized computer operating system |
US20040019565A1 (en) * | 2002-07-25 | 2004-01-29 | Chris Goringe | Periodic software licensing system |
US20040193987A1 (en) * | 1995-07-13 | 2004-09-30 | Sospita As | Protection of software code from unauthorized use by executing portions of the code in a secure computer environment separate from the environment that executes the remaining portions of the code |
US6850943B2 (en) * | 2002-10-18 | 2005-02-01 | Check Point Software Technologies, Inc. | Security system and methodology for providing indirect access control |
US20080005029A1 (en) * | 2006-06-07 | 2008-01-03 | Mitsuo Ando | Image forming apparatus, license management method, and license management program product |
US20080014912A1 (en) * | 2003-05-15 | 2008-01-17 | Osamu Otaka | Cooperative Operation Method, Mobile Communication Terminal Thereof, Mail Transceiving Method, And Communication System |
US20090328169A1 (en) * | 2006-01-25 | 2009-12-31 | Keith Hutchison | Apparatus and method for convenient and secure access to websites |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3537245B2 (en) * | 1996-01-08 | 2004-06-14 | 富士通株式会社 | Information management system |
JP2002182983A (en) * | 2000-12-13 | 2002-06-28 | Sharp Corp | Method for controlling access to database, database unit, method for controlling access to resources and information processor |
JP4625343B2 (en) | 2004-02-17 | 2011-02-02 | 株式会社リコー | Image forming apparatus, terminal apparatus, information processing method, information processing program, and recording medium |
JP2005250974A (en) | 2004-03-05 | 2005-09-15 | Ricoh Co Ltd | Apparatus, method and program for software development, software, recording medium, image forming apparatus, and electric apparatus |
JP2006079211A (en) | 2004-09-07 | 2006-03-23 | Ricoh Co Ltd | Image formation apparatus, information processing method, information processing program and recording medium |
JP2007328770A (en) * | 2006-05-10 | 2007-12-20 | Ricoh Co Ltd | Information processor, access control method, access control program, recording medium and image forming device |
-
2008
- 2008-04-30 JP JP2008118619A patent/JP5037422B2/en active Active
-
2009
- 2009-04-15 US US12/423,884 patent/US9135468B2/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040193987A1 (en) * | 1995-07-13 | 2004-09-30 | Sospita As | Protection of software code from unauthorized use by executing portions of the code in a secure computer environment separate from the environment that executes the remaining portions of the code |
US5987611A (en) * | 1996-12-31 | 1999-11-16 | Zone Labs, Inc. | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
US6289462B1 (en) * | 1998-09-28 | 2001-09-11 | Argus Systems Group, Inc. | Trusted compartmentalized computer operating system |
US20040019565A1 (en) * | 2002-07-25 | 2004-01-29 | Chris Goringe | Periodic software licensing system |
US6850943B2 (en) * | 2002-10-18 | 2005-02-01 | Check Point Software Technologies, Inc. | Security system and methodology for providing indirect access control |
US20080014912A1 (en) * | 2003-05-15 | 2008-01-17 | Osamu Otaka | Cooperative Operation Method, Mobile Communication Terminal Thereof, Mail Transceiving Method, And Communication System |
US20090328169A1 (en) * | 2006-01-25 | 2009-12-31 | Keith Hutchison | Apparatus and method for convenient and secure access to websites |
US20080005029A1 (en) * | 2006-06-07 | 2008-01-03 | Mitsuo Ando | Image forming apparatus, license management method, and license management program product |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9372983B2 (en) | 2012-03-14 | 2016-06-21 | Samsung Electronics Co., Ltd. | Apparatus and method of controlling permission to applications in a portable terminal |
US20200037000A1 (en) * | 2018-07-30 | 2020-01-30 | Ricoh Company, Ltd. | Distribution system, client terminal, and method of controlling display |
US11057644B2 (en) * | 2018-07-30 | 2021-07-06 | Ricoh Company, Ltd. | Distribution system, client terminal, and method of controlling display |
WO2020036265A1 (en) * | 2018-08-16 | 2020-02-20 | Hewlett-Packard Development Company, L.P. | Method for protecting personal information in image forming apparatus |
US11290618B2 (en) | 2018-08-16 | 2022-03-29 | Hewlett-Packard Development Company, L.P. | Method for protecting personal information in image forming apparatus |
US10855857B2 (en) | 2018-09-27 | 2020-12-01 | Ricoh Company, Ltd. | Information processing system to register a service to a target device |
US11153401B2 (en) | 2018-09-28 | 2021-10-19 | Ricoh Company, Ltd. | Information processing system, information processing apparatus, and method of processing information |
US11431874B2 (en) | 2018-11-28 | 2022-08-30 | Ricoh Company, Ltd. | Information processing system to securely upload image data |
US11095780B2 (en) | 2018-11-29 | 2021-08-17 | Ricoh Company, Ltd. | Information processing apparatus for automatically determining a transmission destination of image data |
US10911624B2 (en) | 2018-11-30 | 2021-02-02 | Ricoh Company, Ltd. | Server, method of controlling data communication, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
US9135468B2 (en) | 2015-09-15 |
JP5037422B2 (en) | 2012-09-26 |
JP2009271567A (en) | 2009-11-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9135468B2 (en) | Apparatus, method, and computer-readable recording medium for access control | |
US8112814B2 (en) | Information processing apparatus, access control method, access control program product, recording medium, and image forming apparatus | |
US9740836B2 (en) | Licensing for each of software modules of application for execution on the apparatus | |
US7069554B1 (en) | Component installer permitting interaction among isolated components in accordance with defined rules | |
US8543607B2 (en) | System and method for role based analysis and access control | |
EP0843249B1 (en) | Dynamic classes of service for an international cryptography framework | |
US20020144257A1 (en) | Image formation system, software acquisition method, and computer product | |
US9792159B2 (en) | Program determining apparatus and program determining method | |
US20030145219A1 (en) | Parameter verification in an authentication system and method | |
US9659154B2 (en) | Information processing system, information processing apparatus, method of administrating license, and program | |
US9529982B2 (en) | Method and apparatus to manage user account of device | |
US8353051B2 (en) | Image forming apparatus, access control method, access control program and computer readable information recording medium | |
US20040193917A1 (en) | Application programming interface to securely manage different execution environments | |
US9274775B2 (en) | Apparatus, control method, and storage medium to instruct a framework to stop a target application based on a usage amount of a resource and a type of the target application | |
US20120096465A1 (en) | Image forming apparatus, log management method, and storage medium | |
US8429727B2 (en) | Authentication control apparatus and authentication control method | |
US20140233064A1 (en) | Image forming device, log recording method, and computer-readable recording medium | |
US20090217349A1 (en) | Image forming apparatus, information processing method, and computer-readable recording medium storing information processing program | |
US20110093813A1 (en) | Image forming apparatus and program controlling method | |
JP2003283494A (en) | Access control method of communication terminal, certification program providing device, management device and communication terminal | |
US20030145220A1 (en) | Extensible authentication system and method | |
JP4787594B2 (en) | Apparatus, security management method, security management program, and recording medium | |
US20090070856A1 (en) | Image forming apparatus and utilization limiting method | |
JP5477425B2 (en) | Information processing apparatus, access control method, access control program, and recording medium | |
JP2013152743A (en) | Device, security management method, security management program and recording medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: RICOH COMPANY, LTD., JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ANDO, MITSUO;REEL/FRAME:022547/0688 Effective date: 20090410 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |